Security and Risk

Only days into the Winter Olympics and reports of cyber attacks are making headlines. Officials have confirmed that a cyber attack is to blame for an internet and Wi-Fi shutdown during the opening ceremony.

Noncritical systems were impacted – including the official Olympics website, which according to reports, went offline when organizers shut down servers to address the attack. Wi-Fi service also stopped working.

Whether they’re part of a criminal syndicate or part of a nation-state attack group, cyber attackers love to use high-profile public events as a cover for their malicious activity. Even the most security conscious person can let their guard down when they’re caught up in the spectacle and excitement of something like the Olympics.

With that in mind, here are a few techniques and approaches that we believe attackers will use during the Olympics, both to target spectators on-site and those watching and reading about the Olympics at home or from the office.

Cryptomining

Cryptomining attacks are quickly replacing ransomware as the attacks du jour. Attackers will infect websites that are commonly used to view Olympic activity, stream events or provide news on what’s happening at the games.

By visiting an infected site, users unwittingly donate their computing power to mine cryptocurrency on behalf of the attacker, without ever knowing they were part of the process. These attacks don’t require malware to run on the user’s endpoint; the mining code runs in the browser while the page is open. The only indication of the attack may be that your computer runs slower due to the loss of computing power.

We’ll dig into crypto-attacks more in a subsequent blog post.

High Value Targets: Olympic viewers back home or in the office

Spear Phishing Campaigns

This is one of the most common methods attackers use to gain a foothold on an endpoint or in an organization. Attackers use people’s personal information to target them with a tailored malicious email, in hopes that they’ll click a link and unleash the payload it’s carrying.

There are already reports that attackers have been targeting Olympic officials for months. Whether you’re watching the games from home or attending, be wary of any email that contains links or attachments purporting to offer information about events, schedules or websites to watch the games. Vigilance is the best defense against phishing attacks.

High Value Targets: Olympic athletes, Olympic officials, country delegations and government representatives, viewers/fans

IoT and Mobile Payment Attacks

Mobile payments and IoT promise to be a big part of the 2018 Winter Olympics. Internet-connected devices have been a favorite target of attackers over the past year, primarily because of the incredibly poor security of most IoT devices. We can expect attackers to test the defenses of devices used during the Olympics – whether cameras, wearables or any other device that will be gathering data on athletes, attendees and officials.

While mobile payments make life much easier for the consumer, the platforms have historically had poor security and represent a real threat to consumer security. Some of the more prevalent mobile payment attacks include spoofed mobile wallets, or malware on the phone itself that collects all of your data, passwords and other sensitive information.

High Value Targets: Fans/attendees, Olympic athletes, Olympic officials

Public Wi-Fi-Related Attacks

Public Wi-Fi-related attacks are an oldie and attacker favorite – something that has manifested in previous Olympics (or any public event where free Wi-Fi is provided).

These types of attacks are incredibly common – free Wi-Fi is typically poorly secured. It’s fairly easy for attackers to use Wi-Fi sniffing software to ferret out the data transmitted over the network. This becomes worrisome when you use public Wi-Fi for sensitive transactions like banking or even entering passwords on websites.

If you’re at the games, be extra careful about which network you’re connecting to, and try to avoid websites where you need to enter passwords or sensitive information (like Social Security numbers), as well as banking/financial websites.

In addition to these recommendations, visitors should also consider using a personal mobile hotspot instead of public Wi-Fi.

High Value Targets: Olympic athletes, fans in attendance

It is the day after Super Bowl LII, and sadly, Patriots fans did not wake up savoring the good feeling of their sixth Super Bowl win with Tom Brady. In our household, there is now a temporary ban on sports radio until talk of this Super Bowl dies down over the airwaves.

Although the game was a big disappointment for Patriots players and fans alike, this year’s Super Bowl ads delivered some fun and entertainment. As I sip my morning coffee, I’m recalling some of my favorite and least favorite ads of Super Bowl LII and drawing parallels between them and cyber security—privileged account security in particular.

So let’s start with (arguably) my least favorite ads of this Super Bowl: the Intuit TurboTax ads. One featured a poorly animated creature hiding under the bed; the other featured a Casper-like ghost hiding in the attic, which played much better. The main message of both ads was that U.S. taxpayers should not fear or delay filing their taxes. Instead, they should get started now with the friendly assistance of TurboTax’s experts.

And how might this Super Bowl ad relate to privileged account security, you ask? Security teams also face hard deadlines and often feel overwhelmed trying to “get it all done.” Some organizations delay moving forward with a comprehensive privileged account security program because they don’t know where to begin. But just like April 15 and the “tax man who cometh,” infrastructure and applications will get breached, so it’s essential to proactively mitigate the risks associated with privileged accounts and credentials—whether the risks come from human error, malicious insiders or external attackers.

Security teams don’t have to wait until the proverbial April 14 to get started; a good resource to consider is CyberArk’s CISO View report titled, “Rapid Risk Reduction: A 30-Day Sprint to Protect Privileged Credentials.” This report provides an inside look at the lessons learned from several high-profile data breaches and offers a proven framework for an intensive sprint of approximately 30 days to implement a set of controls around privileged credentials.

But what about the best Super Bowl LII ads? Can we learn anything about privileged account security from these as well? But of course! My top three favorite ads were Fire and Ice for Doritos and Mt. Dew, Amazon’s Alexa gets some new voices, and the NFL ad featuring Eli Manning and Odell Beckham’s “Dirty Dancing.” Although the Alexa ad has some obvious cyber security angles (who hasn’t read stories about the “what ifs” of your smart home devices getting hacked), I am going to explore the privileged account security connections of the Manning and Beckham ad instead.

Now, the connection to privileged account security for this ad is a tad more subtle than for the TurboTax ad. This ad made me think about the organizational issues that sometimes get in the way of companies moving forward with any type of cyber security program, privileged account security-related or otherwise. Instead of the harmonious flow of Beckham, Manning and the rest of the team dancing in the background, organizations often let discord between the different parts of the company (security, IT operations, DevOps and developers) get in the way of tackling the security risks that they know are out there and need to be addressed. The consequences of not addressing these risks are, of course, far more serious than a missed touchdown pass or the sack that sealed the Patriots’ defeat at the end of the game.

CyberArk Labs recently published a preview of research on our Threat Research Blog exploring ways to detect Pass-the-Hash (PtH) attacks using the Windows Event Viewer. As a follow-up to the highly referenced post, the Labs team has published a technical research paper with additional details on the technique. The new paper is available for download here.

As a refresher, PtH is an attack technique that leverages stolen credentials. It is often used in sophisticated attacks and represents a significant risk to organizations. The technique involves an attacker stealing account credentials from one computer and using them to authenticate to other systems in the network. Instead of requiring plaintext passwords, PtH lets the attacker authenticate with password hashes alone and begin lateral movement in the network over the NTLM protocol.

As part of this research, the Labs team evaluated a number of NTLM connection scenarios to pinpoint key indicators of PtH and to help distinguish between legitimate and illegitimate uses. Based on this exercise, the team designed an algorithm and an open source tool (called Ketshash) to aid in detecting live PtH attempts. You can also watch a short demo video of Ketshash here.
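The post does not describe Ketshash’s actual algorithm, so the following is an added illustration (not CyberArk’s code) of the general idea of separating legitimate from suspicious NTLM logons in Windows Security event data. It assumes one simple heuristic: an NTLM network logon (event 4624, logon type 3) for an account that never logged on interactively from the same source host within a time window is worth flagging. The event records are constructed samples.

```python
"""Toy detector for suspicious NTLM network logons built from 4624-style records.

Assumed heuristic (an illustration, not the Ketshash algorithm): a type-3 NTLM
logon for (user, source host) with no interactive logon (types 2, 10, 11) from
that same host for that user in the preceding window is flagged for review.
"""
from datetime import datetime, timedelta

# Constructed sample records shaped like the fields of Security event 4624.
SAMPLE_EVENTS = [
    {"time": "2018-02-12T08:00:00", "event_id": 4624, "logon_type": 2,
     "auth": "Kerberos", "user": "alice", "source": "WS01"},
    # alice sat down at WS01 first, so her later NTLM share access is plausible.
    {"time": "2018-02-12T08:05:00", "event_id": 4624, "logon_type": 3,
     "auth": "NTLM", "user": "alice", "source": "WS01"},
    # admin-bob never logged on at WS07, yet an NTLM network logon arrives from it.
    {"time": "2018-02-12T09:30:00", "event_id": 4624, "logon_type": 3,
     "auth": "NTLM", "user": "admin-bob", "source": "WS07"},
    # Kerberos network logon: not in scope for a PtH-over-NTLM heuristic.
    {"time": "2018-02-12T09:45:00", "event_id": 4624, "logon_type": 3,
     "auth": "Kerberos", "user": "carol", "source": "WS03"},
]

INTERACTIVE_TYPES = {2, 10, 11}  # console, RDP, cached-credential logons


def suspicious_ntlm_logons(events, window=timedelta(hours=10)):
    """Return NTLM network logons lacking a prior interactive logon for (user, host)."""
    ordered = sorted(events, key=lambda e: e["time"])  # ISO-8601 sorts lexically
    last_interactive = {}
    flagged = []
    for ev in ordered:
        if ev["event_id"] != 4624:
            continue
        when = datetime.fromisoformat(ev["time"])
        key = (ev["user"].lower(), ev["source"].upper())
        if ev["logon_type"] in INTERACTIVE_TYPES:
            last_interactive[key] = when
        elif ev["logon_type"] == 3 and ev["auth"].upper() == "NTLM":
            seen = last_interactive.get(key)
            if seen is None or when - seen > window:
                flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in suspicious_ntlm_logons(SAMPLE_EVENTS):
        print(f"review: {ev['user']} NTLM logon from {ev['source']} at {ev['time']}")
```

A real deployment would need to correlate events collected from the source host itself, since the interactive logon is recorded there rather than on the target.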

Many organizations have embarked upon a cyber security “sprint” in order to significantly reduce their privileged account attack surface. The sprint—designed to yield initial results in just 30 days—focuses on prioritizing the implementation of core controls to protect an organization’s most powerful and vulnerable accounts.

Bolstered by sprint-driven successes and momentum, it’s time for organizations to gear up for the next leg of their security program. They need to turn their “sprint” into a longer-term, sustainable cyber security program. As part of the journey, security teams often have questions about the best path forward. For example, they ask:

“How do we choose different workflows and controls to implement?”

“How do we risk rank them?”

“What does an ideal state of security look like?”

“How do we track and measure success or even support the program from a people perspective?”

Let’s focus on two fundamental elements for a successful, long-term program. The goal is to significantly reduce the risk of privileged credential theft. Keeping the attack pathway in mind, you want to shut down access to credentials and minimize what attackers can do with any credentials that are exposed. Ideally, you also limit how far attackers or malicious insiders can move within the organization using a specific set of credentials.

One: Increase the Coverage of Privileged Account Security Controls across the Organization

During the “sprint,” organizations focus on protecting their most powerful accounts first. This typically includes steps such as isolating and monitoring access to domain controllers and member computers, implementing multi-factor authentication to protect high-risk privileged credentials, eliminating unnecessary accounts and privileges, and establishing credential boundaries.

During the next leg of the journey, the focus shifts to scale—implementing basic credential management and session isolation for human user accounts across as many technologies as possible—while minimally impacting end user experience and productivity. These include accounts linked to Unix devices, databases, network devices and built-in back-door IDs. These are very powerful accounts: they exist in every system, yet they’re not typically used on a day-to-day basis by end users, so organizations can move quickly to implement change and showcase demonstrable wins while causing the least disruption possible.

Two: Create an In-Depth Layer of Controls within the Riskiest Assets in the Environment

When it comes to analyzing the risk of a particular work stream (defined as the combination of a particular platform and an account type), it’s important to take three key things into consideration. We sometimes refer to this as a “privilege triad”:

The scope of influence: How many different assets can I affect with a single privileged account? What can this access? Does it cross different network boundaries? Does it cross different risk tiers? Who currently has access to these IDs?

Level of privilege: How much can I do with a given privileged account once I hit a system? How are we granting privilege in the first place, and can we granularly control it?

Ease of compromise: What controls do I have, or lack, today within my environment for this particular work stream? Do people actually know about these credentials directly? Are they using them from their workstations? Are we rotating them? What sort of underlying vulnerabilities might exist within this particular technology to begin with?

Security and industry experts have long advocated for the need to increase the protection of critical infrastructure – including transportation systems, energy and utilities providers, and financial services. The implications of an attack on our nation’s systems are far reaching – from disrupting delivery of key services to impacting public safety.

Just recently, researchers presented an analysis of Triton, a malware used in the third ever recorded cyber attack against industrial equipment. Findings indicate that the malware was able to enter the plant via an exploit in “security procedures that allowed access to some of its stations as well as its safety control network.” Additionally, recent erroneous alerts regarding missile strikes caused panic in Hawaii and Japan – each alleged to be the result of human error. These incidents shine an important light on the cyber security procedures used to safeguard these critical systems – from external attackers or insiders, whether intentional or not.

From an attacker’s perspective, whether they have already compromised the network or are targeting a specific mission-critical objective, their TTPs (tactics, techniques and procedures) will include getting access to privileged accounts to achieve their ultimate goal.

Historically, we’ve seen situations where the software and systems used to run critical infrastructure were compromised through shared privileged accounts and default passwords that had never been changed. These hardcoded passwords are static and can be guessed or brute forced by attackers. Once attackers gain access to privileged accounts, they can gain full control of the system.

In past attacks on similar systems, the attackers used this access to emergency communications for ‘prank attacks,’ such as the 2013 case in Montana where a zombie outbreak was broadcast to residents. In light of the severity and panic-inducing nature of the recent erroneous emergency reports, these former ‘prank attacks’ take on a more ominous outlook, demonstrating the destructive potential of such false alerts.

These examples also provide insight into how malicious attackers could compromise sensitive systems and infrastructure, as well as the steps needed to protect them from outside attacks. This starts with identifying where privileged accounts exist, implementing stronger management of the credentials that provide access to and control over such critical infrastructure, and ensuring ongoing management and visibility into those accounts.